Note: Cool Solutions are articles documenting additional functionality based on Univention products.
Not all of the steps shown in this article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

VMware vSphere 5.1 provides Single Sign-On throughout a VMware vCenter instance. VMware Single Sign-On expects Microsoft Active Directory as so-called "Identity Source", but is also able to use other types of user repositories. This article describes how to use UCS 3.1 / Samba 4 instead of Microsoft Active Directory.

Known Issues

During the installation of VMware vCenter on the Windows Server the following warning might appear:

Warning 29155: The identity source was not identified automatically.

This warning can be ignored. The identity source will be added manually after the installation finished.

Configuration of VMware vCenter Single Sign-On

Start the "VMware vSphere Web Client" on the Windows Server or open your vSphere Client URL in your browser (usually https://your-vCenter-server:9443/vsphere-client). Log in with the "admin@System-Domain" account that was created during the installation of vCenter.

Note: You need to use "admin@System-Domain". Any other account won't be able to add "Identity Sources" at this point. So make sure the account is not disabled or deleted.

Username: PrivilegedUser@example.com (a domain user with the right to read LDAP)

Password: the password of the above user

Change to Administration → Access → SSO Users and Groups → Open Groups → Add a new group (e.g. VMware Domain Admins) → Select this group and click Add Principals

A new window opens: select the "Identity Source" added before (e.g. example.com) and search for the desired LDAP group (e.g. Domain Admins), then click Add and OK.
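Before mapping an LDAP group such as "Domain Admins" to a vCenter SSO group, it is worth checking which accounts that group actually contains, since every member will be able to log in. The following script is an added example, not part of this article or of the UCS or VMware products: it parses the LDIF that an ldapsearch query against the Samba 4 domain controller returns for the group (the LDIF here is a constructed sample, and the host name dc.example.com, the base DN and the member names are assumptions), lists the members, and flags whether the read-only bind account used as "Username" above is itself in the mapped group, which it does not need to be.

```python
"""Audit an LDAP group before mapping it to a vCenter SSO group.

Example code added to this article (not Univention's or VMware's). The LDIF
below is a constructed sample of what

  ldapsearch -LLL -H ldap://dc.example.com -D PrivilegedUser@example.com -W \
             -b dc=example,dc=com '(cn=Domain Admins)' member description

might return from a Samba 4 DC; host, base DN and member names are assumptions.
"""
import base64

# Constructed sample output. LDIF wraps long values onto a following line
# that starts with a single space, and base64-encodes non-ASCII values ("::").
SAMPLE_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
member: CN=Administrator,CN=Users,DC=example,DC=com
member: CN=Jane Doe,OU=Admins,
 DC=example,DC=com
description:: VmVyd2FsdGVyIGRlciBEb23DpG5l

"""


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}) tuples from LDIF text."""
    # First unfold continuation lines: a leading space joins to the line above.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries = []
    current = None
    for line in lines:
        if not line.strip():          # blank line terminates an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):      # comment
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):      # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:                         # "attr: <value>"
            value = rest.strip()
        if name == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def group_members(ldif_text, group_cn):
    """Return the member DNs of the entry whose RDN is cn=<group_cn>, or None."""
    prefix = "cn=%s," % group_cn.lower()
    for dn, attrs in parse_ldif(ldif_text):
        if dn.lower().startswith(prefix):
            return attrs.get("member", [])
    return None


def rdn_value(dn):
    """'CN=Jane Doe,OU=Admins,DC=example,DC=com' -> 'Jane Doe'.

    Simplified: does not handle escaped commas inside the RDN.
    """
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1]


def audit(ldif_text, group_cn, bind_account_cn):
    """Summarise who the mapping would admit and whether the bind account is in it."""
    members = group_members(ldif_text, group_cn)
    if members is None:
        raise ValueError("group %r not found in LDIF" % group_cn)
    names = [rdn_value(m) for m in members]
    return {
        "members": names,
        "bind_account_is_member": bind_account_cn in names,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_LDIF, "Domain Admins", "PrivilegedUser")
    print("Accounts that would get vCenter access:", ", ".join(result["members"]))
    if result["bind_account_is_member"]:
        print("Warning: the LDAP bind account is in the mapped group; a plain domain user suffices.")
```

Run the real ldapsearch with the bind account from the identity source configuration and feed its output to audit(); a bind account that can read the directory but is not a member of any mapped group keeps the SSO credential stored in vCenter low-privileged.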

The chosen users/groups are now able to log in with their credentials:

Username: username@example.com

Password: the user's domain password

While using the VMware vSphere Client (not the Web Client), users can now select "Use Windows session credentials".

Note: If a user's password is changed or the user is disabled or deleted in your LDAP, this does not affect an already active session in the VMware vSphere (Web) Client. The change only takes effect at the next login.

Note: Don't forget to grant the users the right to manage a vCenter server (or individual VMs). This can be done via vCenter → your vCenter server → Manage → Permissions → Add permission. Otherwise the users will be able to log in but won't see any vServers, Datacenters or Hosts.